Unable to access external website from desktops but can ping and access from server and from externals

Hi all. I inherited a small network.
I am stumped by a problem and I hope you can help.
I have a website which can be accessed externally, and I am able to ping and access it from the server.
However, when I attempt to access it from any desktops on my network I am unable to do so.
Will not display page.
I have done nslookups from both the server, which works, and from the desktop, which doesn't.
They both resolve to the same address, so it does not appear to be a DNS issue.
When I launch tracert from the server it completes.
When I launch it from the desktops it times out before the final hop.
I am thinking it may be a firewall issue but I am unsure what I should do to verify this. Again, since the server is able to resolve and ping the address, I am stumped by this issue.
Thanks for your help
Asked by: Andre P
jkaios (IT Director) commented:
What type/version of OS is on the desktops?

Can you temporarily turn off the firewall on the desktops (if currently on) and test again?
Andre P (Author) commented:
Thank you so much for responding.

Windows 7 is on the desktops and I have turned off firewalls, no dice... There is a sonic firewall on the network, but since the server is able to receive pings, I am not sure if it is a factor.
jkaios (IT Director) commented:
Accessing the server is different than pinging it.

What do you mean exactly by "external website"?  Is it a web server somewhere on the Internet and what is the address or IP?  What kind of web server - IIS, Apache, other?
Andre P (Author) commented:
It's the company's web page.
The point is I'm able to browse the page externally and also internally from the SBS server only.
The desktops are unable to do so, though. Nslookup shows the same non-authoritative answer (both on desktop and SBS server and externals). I know the DNS is resolving to the correct IP address. Then I tried to ping the address from the SBS server, where it can be browsed. Ping works, so ICMP is being passed through the firewall, at least to the server. I tried tracert and it was successful.

From the desktop, internal, when it fails, I cannot ping, and tracert gets to the last hop then times out, and so I believe there is the beginning of the problem.
I just don't know how to troubleshoot from there.
jkaios (IT Director) commented:
Are there any access restrictions on the web server that deny "certain" IP address ranges?

Is the SBS server on a static IP address?
jkaios (IT Director) commented:
What's the exact error message on the desktop PCs?

Also, can you try other browsers like Firefox and Chrome on the desktop?
Asif Bacchus (I.T. Consultant) commented:
Just to be clear, this website is hosted on an external server, not your SBS server, correct?
Andre P (Author) commented:
It's hosted internally
Andre P (Author) commented:
Sorry, hosted by Network Solutions
Andre P (Author) commented:
So where we are is that none of the computers on the LAN except for the server can reach the website, which is hosted externally.
The DNS settings all resolve to the same IP address. Only the server can successfully ping that address.
All other machines time out at the final hop (using tracert).
Andre P (Author) commented:
Page not found -- using Chrome.
The SBS server is a static address
jkaios (IT Director) commented:
Are the desktops using the same DNS address configuration as the SBS server?

Is it possible to provide the ipconfig /all of the desktops and the SBS server?
Rob G (Microsoft Systems Engineer) commented:
Sounds like you have the bindings set for external access only..
I assume this is IIS.. can you tell me what version?

Is the binding set to an external only address?
Or is the Binding set to an internal address?
What does the DNS look like?
Asif Bacchus (I.T. Consultant) commented:
If your website is hosted externally, then IIS bindings shouldn't matter on your end.  Do you have a DNS entry on your server corresponding to the website in question?  Are you forwarding the website from IIS back out to the external website instead of allowing direct access?  Are you using a firewall/gateway/router device and are there any restrictions as to outgoing traffic on that device for computers behind it?
Andre P (Author) commented:
Asif,
I initially put a host entry in the forwarding zone
corresponding named www
and companyname.com
and the external IP address.
Ran ipconfig /flushdns.
This did nothing.
Then I changed the address to the server internal address.
I just got the IIS screen.
I deleted that.
There is a SonicWALL device.
I do not know what to look for on there, though.
If you could let me know what entry I should be looking for, that would help.
Thank you for your help.
Andre P (Author) commented:
Here is how the tracert looks.
And here is the ipconfig /all for desktop and server
Asif Bacchus (I.T. Consultant) commented:
Since your website is hosted by an external company, and it's accessible from the internet by other computers, it means they are taking care of the DNS records.  Therefore, you should *not* have any entries whatsoever on your DNS relating to your external website.  Just let DNS resolution happen as it does for all other external websites.  If you have an entry in your DNS server, that is likely the problem.

Regarding your SonicWALL, I doubt there is any problem there.  But, to be sure, check your Firewall > Access Rules and make sure you don't have outgoing access to your website IP (specifically) blocked from any internal IP source addresses.

Let me know if either of these steps help.
Andre P (Author) commented:
No entry in SonicWALL.
No entry in SBS DNS.
Of note: typing in the website address on the browser brings up an IIS7 default screen.
Question:
If the tracert fails after that many hops, just before the destination, could that indicate the problem lies with the hosting service?
What makes my brain itch is that the server itself can access the site.
What am I missing here?
Are there any tools to trace this?
Asif Bacchus (I.T. Consultant) commented:
Shot in the dark here:  Do you have any entries in the hosts file on the workstations that could be causing this?  Also, have you flushed the DNS cache on the workstations?  The fact that they are showing an IIS splash screen seems to suggest they are still trying to access the server.  Your local IIS and your corporate (external) website don't have the same DNS name, do they?
Andre P (Author) commented:
The server name is MLmain. Where would I double check if the IIS has the same name?
Andre P (Author) commented:
Flushed the DNS cache.
If the IIS had the same name, wouldn't nslookup www.company.com resolve to the local server, which would cause the problem?
I am not sure where to look to verify that this isn't the case.
Please advise.
Asif Bacchus (I.T. Consultant) commented:
Yes, you would think that the nslookup would just resolve to the server at that point, but then again, we're just trying to rule things out at this point since this problem is a little strange on its own.  

Please check your forward lookup zones in your DNS to see if there is any mention of www.company.com.  There shouldn't be, since you are correctly using a .local domain for your network.  If it's in there, maybe take a screenshot so we can look at the settings.

I had another thought also.  Are all of your machines behind the SonicWALL?  Or does your server have one external IP and your workstations are using a different NAT'ed IP?
Andre P (Author) commented:
Asif,
Well, that's a thought.
Remote.company.com is set up on the server.
Remote Web services is set to use remote.company.com
How do I check if the Sonic has an external set strictly for the server?
Asif Bacchus (I.T. Consultant) commented:
remote.company.com is ok, that's pretty standard.  Instead of digging around SonicWALL, let's do something simpler.

1)   From your server, go to http://www.whatsmyip.org/ and note the IP address
2)   From one of your workstations, also go to http://www.whatsmyip.org/ and note the IP address

If (1) and (2) are the same, then we don't have separate IPs and you are NAT'ing the same address so that isn't a problem.  If you have different IPs then please post back and we'll discuss.

Do you mind me asking what your actual public website is?  I would like to take a look at its DNS record and see if I can find any clues.  I assume since it's a public website, you wouldn't mind?  If you'd prefer, you could private message me on the site so it isn't posted here.
Andre P (Author) commented:
They are different.
Server is x.x.x.154
Desktop is x.x.x.155
This is the first clue so far!!! Great!!!
What do I do next?
Asif Bacchus (I.T. Consultant) commented:
At this point, I'd check with your hosting company to see if they are blocking the x.x.x.155 address for some reason.  I did not see anything glaringly obvious in the public DNS record or the site, aside from a mismatched SSL certificate, which is of no concern here.

As for checking more things on your end:  Since you've ruled out your local DNS and hosts files, I can't think of much else for you to check.  If something hits me later tonight, I'll update the post.
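
The comparison worked through above, written out as a small decision procedure (an added example, not part of the original thread): run the same checks from the working and the failing machine and see at which layer they first diverge. `Observation`, `probe` and `localize` are hypothetical names, and the sample addresses are constructed from documentation ranges; the egress IP is whatever an external "what is my IP" page reports for each machine.

```python
"""Localize a 'works from server, fails from desktop' fault from per-host observations."""
import socket
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Observation:
    host: str                   # machine the checks were run on
    resolved_ip: Optional[str]  # address the site name resolved to on that machine
    tcp_ok: bool                # TCP connect to the web port succeeded
    egress_ip: str              # public source IP reported by an external page

def probe(name: str, port: int = 80, timeout: float = 3.0) -> Tuple[Optional[str], bool]:
    """Live check for one host: resolve the name, then try a TCP connect.
    A TCP connect tests the web service itself; ICMP can be filtered separately."""
    try:
        ip = socket.gethostbyname(name)
    except socket.gaierror:
        return None, False
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return ip, True
    except OSError:
        return ip, False

def localize(good: Observation, bad: Observation) -> str:
    """Compare a working and a failing vantage point; return the layer to check next."""
    if bad.tcp_ok:
        return "no-fault"             # the 'failing' host can connect after all
    if bad.resolved_ip is None:
        return "dns-failure"          # name does not resolve on the failing host
    if bad.resolved_ip != good.resolved_ip:
        return "dns-mismatch"         # hosts file, stale cache or a local zone entry
    if bad.egress_ip != good.egress_ip:
        # Same destination, different public source address: check the NAT
        # policy locally and any source-IP filtering at the remote end.
        return "source-ip-filtering"
    return "local-path"               # same name, same egress: host firewall, proxy, ACL

# Constructed sample values (RFC 5737 documentation ranges), not from the thread.
SERVER = Observation("server", "198.51.100.10", True, "203.0.113.154")
DESKTOP = Observation("desktop", "198.51.100.10", False, "203.0.113.155")

if __name__ == "__main__":
    print(localize(SERVER, DESKTOP))
```
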

Andre P (Author) commented:
Wow!
Thanks so much for your help!  Will look into that also and keep you posted.
So there is no chance that x.x.x.155 is somehow affected by the SonicWALL?
(I am not a SonicWALL expert)
Asif Bacchus (I.T. Consultant) commented:
No problem, hopefully we've got you on the path to resolving this issue!  

Regarding the second IP address, it is possible that your SonicWALL is the cause but since you didn't see any outgoing rules when you checked earlier, I really don't think so.

If you want to be totally sure, you can put one of your clients in a DMZ.  I'm going to assume you are using NAT mode.  If so, this is the procedure

1)   Log into your SonicWALL device
2)   Click Network > Interfaces
3)   Find an unassigned zone, click Configure
4)   Select DMZ from the Zone drop-down box.  Select Static from the IP Assignment drop-down
5)   Enter the IP address and subnet mask of one of your workstations
6)   Check an option next to Management to enable remote management of the DMZ
7)   Check HTTP/HTTPS next to user login
8)   Click OK

Your specified workstation should now be in a DMZ and have unrestricted internet access.  Verify this by going to http://www.whatsmyip.org/ from the workstation in the DMZ and noting its IP.  Assuming it's still the x.x.x.155, then try accessing your public website.  At this point (since we are in a DMZ) the firewall is not blocking any traffic to that workstation and no rules are being applied.  So, if you can view the website, then your SonicWALL is indeed blocking the workstations.  If you cannot view the website still, then it has nothing to do with your SonicWALL.  If your address at  http://www.whatsmyip.org/ is not the x.x.x.155 address any more, then post back and let me know what it reports as your address.
Andre P (Author) commented:
Need to get permission to try this.
Will let you know.
Andre P (Author) commented:
Situation RESOLVED!!!!
Special shout out to Asif.
Turns out the IP address x.x.x.155 needed to be whitelisted at the hosting site.
Thank you so much for the help!
You guys were amazing!!
Never used this exchange before to help resolve an issue.
Will be looking to pay it forward myself.
Thanks a million!
Asif Bacchus (I.T. Consultant) commented:
It's always the little things, glad you got it sorted out!  Now, go enjoy your weekend! :-)
Andre P (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for Andre P's comment #a40456612

for the following reason:

The help received here allowed me to narrow it down.
Because the tracert timed out within the area covered by the host company, we were able to determine that the problem lay there.
